ab#75723

Author: Lee Fine

CHANGELOG.md

@@ -1,7 +1,5 @@
 v2.12.0
-- Added config.json setting and its override store level custom field - AllowShellCommands.  If "N" (default "Y"), SFTP will be used to create stores and move files on Linux-based certificate store servers.  No Linux shell commands will be used in the integration.  Limitations when running in this mode exist:
-  - config.json/custom field values SeparateUploadFilePath, DefaultLinuxPermissionsOnStoreCreation, DefaultOwnerOnStoreCreation, LinuxFilePermissionsOnStoreCreation, and LinuxFileOwnerOnStoreCreation cannot be used and will be ignored
-  - rare issue where a certificate store user id having an expired password causes the orchestrator to hang when attempting an SFTP/SCP connection will NOT be able to be caught and handled
+- Added config.json setting and its override store level custom field - AllowShellCommands.  If "N" (default "Y"), SFTP will be used to create stores and move files on Linux-based certificate store servers.  No Linux shell commands will be used in the integration.
 
 v2.11.4
 - Bug Fix: Handle condition where a certificate store definition that contains an invalid value for `FileTransferProtocol` 

RemoteFile/ApplicationSettings.cs

@@ -41,6 +41,7 @@ public enum FileTransferProtocolEnum
         public static string DefaultSudoImpersonatedUser { get { return configuration.ContainsKey("DefaultSudoImpersonatedUser") ? configuration["DefaultSudoImpersonatedUser"] : DEFAULT_SUDO_IMPERSONATION_SETTING; } }
         public static bool CreateCSROnDevice { get { return configuration.ContainsKey("CreateCSROnDevice") ? configuration["CreateCSROnDevice"]?.ToUpper() == "Y" : false; } }
         public static string TempFilePathForODKG { get { return configuration.ContainsKey("TempFilePathForODKG") ? configuration["TempFilePathForODKG"] : string.Empty; } }
+        public static bool UseShellCommands { get { return configuration.ContainsKey("UseShellCommands") ? configuration["UseShellCommands"]?.ToUpper() == "Y" : false; } }
         public static int SSHPort
         {
             get

RemoteFile/Discovery.cs

@@ -59,7 +59,7 @@ public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpd
                 ApplicationSettings.Initialize(this.GetType().Assembly.Location);
 
                 certificateStore = new RemoteCertificateStore(config.ClientMachine, userName, userPassword, directoriesToSearch[0].Substring(0, 1) == "/" ? RemoteCertificateStore.ServerTypeEnum.Linux : RemoteCertificateStore.ServerTypeEnum.Windows, ApplicationSettings.SSHPort);
-                certificateStore.Initialize(ApplicationSettings.DefaultSudoImpersonatedUser);
+                certificateStore.Initialize(ApplicationSettings.DefaultSudoImpersonatedUser, true);
 
                 if (directoriesToSearch.Length == 0)
                     throw new RemoteFileException("Blank or missing search directories for Discovery.");

RemoteFile/InventoryBase.cs

@@ -40,7 +40,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
                 SetJobProperties(config, config.CertificateStoreDetails, logger);
 
                 certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, UserName, UserPassword, config.CertificateStoreDetails.StorePath, StorePassword, FileTransferProtocol, SSHPort, IncludePortInSPN);
-                certificateStore.Initialize(SudoImpersonatedUser);
+                certificateStore.Initialize(SudoImpersonatedUser, UseShellCommands);
                 certificateStore.LoadCertificateStore(certificateStoreSerializer, true);
 
                 List<X509Certificate2Collection> collections = certificateStore.GetCertificateChains();

RemoteFile/ManagementBase.cs

@@ -38,7 +38,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                 SetJobProperties(config, config.CertificateStoreDetails, logger);
 
                 certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, UserName, UserPassword, config.CertificateStoreDetails.StorePath, StorePassword, FileTransferProtocol, SSHPort, IncludePortInSPN);
-                certificateStore.Initialize(SudoImpersonatedUser);
+                certificateStore.Initialize(SudoImpersonatedUser, UseShellCommands);
 
                 PathFile storePathFile = RemoteCertificateStore.SplitStorePathFile(config.CertificateStoreDetails.StorePath);
 

RemoteFile/ReenrollmentBase.cs

@@ -68,7 +68,7 @@ public JobResult ProcessJobToDo(ReenrollmentJobConfiguration config, SubmitReenr
                 ApplicationSettings.FileTransferProtocolEnum fileTransferProtocol = ApplicationSettings.FileTransferProtocol;
 
                 certificateStore = new RemoteCertificateStore(config.CertificateStoreDetails.ClientMachine, UserName, UserPassword, config.CertificateStoreDetails.StorePath, StorePassword, fileTransferProtocol, SSHPort, IncludePortInSPN);
-                certificateStore.Initialize(SudoImpersonatedUser);
+                certificateStore.Initialize(SudoImpersonatedUser, UseShellCommands);
 
                 PathFile storePathFile = RemoteCertificateStore.SplitStorePathFile(config.CertificateStoreDetails.StorePath);
 

RemoteFile/RemoteCertificateStore.cs

@@ -453,14 +453,14 @@ internal string GenerateCSROnDevice(string subjectText, SupportedKeyTypeEnum key
             return csr;
         }
 
-        internal void Initialize(string sudoImpersonatedUser)
+        internal void Initialize(string sudoImpersonatedUser, bool useShellCommands)
         {
             logger.MethodEntry(LogLevel.Debug);
 
             bool treatAsLocal = Server.ToLower().EndsWith(LOCAL_MACHINE_SUFFIX);
 
             if (ServerType == ServerTypeEnum.Linux || RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
-                RemoteHandler = treatAsLocal ? new LinuxLocalHandler() as IRemoteHandler : new SSHHandler(Server, ServerId, ServerPassword, ServerType == ServerTypeEnum.Linux, FileTransferProtocol, SSHPort, sudoImpersonatedUser) as IRemoteHandler;
+                RemoteHandler = treatAsLocal ? new LinuxLocalHandler() as IRemoteHandler : new SSHHandler(Server, ServerId, ServerPassword, ServerType == ServerTypeEnum.Linux, FileTransferProtocol, SSHPort, sudoImpersonatedUser, useShellCommands) as IRemoteHandler;
             else
                 RemoteHandler = new WinRMHandler(Server, ServerId, ServerPassword, treatAsLocal, IncludePortInSPN);
 

RemoteFile/RemoteFileJobTypeBase.cs

@@ -29,6 +29,7 @@ public abstract class RemoteFileJobTypeBase
         internal bool IncludePortInSPN { get; set; }
         internal ApplicationSettings.FileTransferProtocolEnum FileTransferProtocol { get; set; }
         internal bool CreateCSROnDevice { get; set; }
+        internal bool UseShellCommands { get; set; }
         internal string KeyType { get; set; }
         internal int KeySize { get; set; }
         internal string SubjectText { get; set; }
@@ -57,7 +58,7 @@ internal void SetJobProperties(JobConfiguration config, CertificateStore certifi
                 ApplicationSettings.DefaultSudoImpersonatedUser :
                 properties.SudoImpersonatedUser.Value;
 
-            SSHPort = properties.SSHPort == null || string.IsNullOrEmpty(properties.SSHPort.Value) || !int.TryParse(properties.SSHPort.Value, out int notUsed) ?
+            SSHPort = properties.SSHPort == null || string.IsNullOrEmpty(properties.SSHPort.Value) || !int.TryParse(properties.SSHPort.Value, out int _) ?
                 ApplicationSettings.SSHPort :
                 properties.SSHPort;
 
@@ -73,6 +74,10 @@ internal void SetJobProperties(JobConfiguration config, CertificateStore certifi
                 ApplicationSettings.CreateCSROnDevice :
                 Convert.ToBoolean(properties.CreateCSROnDevice.Value);
 
+            UseShellCommands = properties.UseShellCommands == null || string.IsNullOrEmpty(properties.UseShellCommands.Value) || !int.TryParse(properties.UseShellCommands.Value, out int _) ?
+                ApplicationSettings.UseShellCommands :
+                properties.UseShellCommands;
+
             FileTransferProtocol = ApplicationSettings.FileTransferProtocol;
             if (properties.FileTransferProtocol != null && !string.IsNullOrEmpty(properties.FileTransferProtocol.Value))
             {

RemoteFile/RemoteHandlers/SSHHandler.cs

@@ -31,18 +31,20 @@ class SSHHandler : BaseRemoteHandler
         private string SudoImpersonatedUser { get; set; }
         private ApplicationSettings.FileTransferProtocolEnum FileTransferProtocol { get; set; }
         private bool IsStoreServerLinux { get; set; }
+        private bool UseShellCommands { get; set; }
         private string UserId { get; set; }
         private string Password { get; set; }
         private SshClient sshClient;
 
-        internal SSHHandler(string server, string serverLogin, string serverPassword, bool isStoreServerLinux, ApplicationSettings.FileTransferProtocolEnum fileTransferProtocol, int sshPort, string sudoImpersonatedUser)
+        internal SSHHandler(string server, string serverLogin, string serverPassword, bool isStoreServerLinux, ApplicationSettings.FileTransferProtocolEnum fileTransferProtocol, int sshPort, string sudoImpersonatedUser, bool useShellCommands)
         {
             _logger.MethodEntry(LogLevel.Debug);
 
             Server = server;
             SudoImpersonatedUser = sudoImpersonatedUser;
             FileTransferProtocol = fileTransferProtocol;
             IsStoreServerLinux = isStoreServerLinux;
+            UseShellCommands = useShellCommands;
             UserId = serverLogin;
             Password = serverPassword;
 
@@ -80,7 +82,8 @@ internal SSHHandler(string server, string serverLogin, string serverPassword, bo
                 sshClient.Connect();
 
                 //method call below necessary to check edge condition where password for user id has expired. SCP (and possibly SFTP) download hangs in that scenario
-                CheckConnection();
+                if (useShellCommands)
+                    CheckConnection();
             }
             catch (Exception ex)
             {
@@ -368,13 +371,18 @@ public override void CreateEmptyStoreFile(string path, string linuxFilePermissio
             if (IsStoreServerLinux)
             {
                 string pathOnly = string.Empty;
-                SplitStorePathFile(path, out pathOnly, out _);
+                string fileName = string.Empty;
+                SplitStorePathFile(path, out pathOnly, out fileName);
 
                 linuxFilePermissions = string.IsNullOrEmpty(linuxFilePermissions) ? GetFolderPermissions(pathOnly) : linuxFilePermissions;
                 linuxFileOwner = string.IsNullOrEmpty(linuxFileOwner) ? GetFolderOwner(pathOnly) : linuxFileOwner;
 
                 AreLinuxPermissionsValid(linuxFilePermissions);
-                RunCommand($"install -m {linuxFilePermissions} -o {linuxFileOwner} {linuxFileGroup} /dev/null {path}", null, ApplicationSettings.UseSudo, null);
+
+                if (UseShellCommands)
+                    RunCommand($"install -m {linuxFilePermissions} -o {linuxFileOwner} {linuxFileGroup} /dev/null {path}", null, ApplicationSettings.UseSudo, null);
+                else
+                    UploadCertificateFile(pathOnly, fileName, Array.Empty<byte>());
             }
             else
                 RunCommand($@"Out-File -FilePath ""{path}""", null, false, null);

docsource/content.md

@@ -185,11 +185,15 @@ restrictions will be in place when using RemoteFile in this mode:
 LinuxFilePermissionsOnStoreCreation, and LinuxFileOwnerOnStoreCreation are not supported and will be ignored.  As a result, file
 permissions and ownership when creating a certificate store or adding a certificate to an existing store will be based
 on the user assigned to the Command certificate store and other Linux environmental settings.
-2. A rare issue exists where a certificate store user id having an expired password causes the orchestrator to hang when attempting an 
+2. Discovery jobs are excluded and will still use the shell `find` command
+3. A rare issue exists where a certificate store user id having an expired password causes the orchestrator to hang when attempting an 
 SFTP/SCP connection.  A modification was added to check for this condition.  Running RemoteFile with Use Shell Commands = N will 
 cause this validation check to NOT occur.
-3. Both RFORA and RFKDB use proprietary CLI commands in order to manage their respective certificate stores.  These commands
+4. Both RFORA and RFKDB use proprietary CLI commands in order to manage their respective certificate stores.  These commands
 will still be executed when Use Shell Commands is set to Y.
+5. If executing in local mode (|LocalMachine at the end of your client machine name for your certificate store), Use Shell
+Commands = 'N' will have no effect.  Shell commands will continue to be used because there will be no SSH connection
+available to use SFTP with.
 
 
 ## Developer Notes